[cap-talk] Confused Deputy gets a new name in Web 2.0 lingo

Ka-Ping Yee cap-talk at zesty.ca
Tue Oct 17 02:00:49 CDT 2006


On Mon, 16 Oct 2006, Tyler Close wrote:
> On 10/16/06, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
> > In a confused deputy situation, the deputy inadvertently abuses authority.
> > Is it the browser or the bank that is making the decision to exercise
> > the authority?  I say the bank.  If you prefer to say the browser, you
> > can, it just means that you have chosen to see the browser as conveying
> > an authorization to the bank.
>
> By that characterization all attacks would be defined as Confused
> Deputy attacks, since in all attacks, authority is abused by some
> actor. I think the term "Confused Deputy" is necessarily more narrowly
> defined than you would seem to have it.

That was a statement about confused deputies, not a definition of the
term.  I think your interpretation is valid.  As i've said already
off-list, feel free to edit the page to reflect the interpretation that
makes the most sense to you.  You don't need my permission to do so.


-- ?!ng

